HTCPCP-TEA
Contributor I

Looking for Advice on Next Steps!

Hi All,

 

Ok, so I'm hoping to have the CISSP sewn up in the next month or so (Exam Done, Endorsement Done, just waiting for ISC2 to rubber Stamp and send back), and my Question is Where does one go from here?

 

For context, I have no worries about achieving the required Experience (I'm 10 years deep into InfoSec/ITSec), and I'm a "reformed" or rather "re-directed" person with particular skills. The Certified Ethical Hacker is my next stop comfortably just as it's a certification close to my heart, but it holds no context on where I go for my next certification.

 

I'm very aware that there are concentrations of CISSP to look at, but what is the general consensus on good routes to follow if one aspires to hit the heights of CISO or indeed CTO over the course of their career?

 

Cheers All.

18 Replies
CISOScott
Community Champion

If you aspire to join the ranks of CISO's you will need to increase your management skills and management experiences. This is how I did it.

I joined teams and looked for volunteer opportunities. It just so happened that one of the volunteer teams lost their team leader, so I took that role. I was then able to put on my resume that I was a team lead. I also rose in the ranks with my experience and became a journeyman in the trade I was in at the time. An opportunity came up for me to serve as relief supervisor, for periods when the supervisor was out. Even though there was no increase in pay, there was an increase in responsibilities/experience that I could put on my resume.

Building up management type experiences will be key to someone hiring you into your first management role.

Look for team lead type activities and for jobs that lead to an increase in leader-type roles.

 

Probably the thing that helped me the most was undertaking a Master's program. I learned a lot about management in those classes. Read management/leadership/business books and learn what it takes to be both a good manager and a good leader. And yes, there are differences between the two.

 

Certifications alone will not lead you to a CISO position. Having them helps cross off some check boxes, but in the interviews I did yesterday we didn't spend more than 3 minutes discussing them. We discussed a lot about these things:

1) Did the candidate have the requisite experience to fill the role? Both technical expertise and management/leadership experiences.

2) Did the candidate answer the questions we asked, or did they try to dazzle us with BS?

3) Did the candidate have the ability to work with senior management or were they too rigid/inflexible?

4) How could we see ourselves interacting with this individual?

5) Did we think they were a good fit?

 

So if your interviewing skills are not good, you will need to practice those.

 

Beads
Advocate I

As far as pentesting certs go, I would redirect my attention to OSCP and/or SANS GPEN. You'll get far more ROI than that other cert you mentioned above. If you're looking for more hands-on experience, keep in mind that InfoSec appears to be moving in two directions at once. Those two camps being: DevSecOps and a business-oriented camp full of policy, procedures, guidance and standards combined with risk. The field is getting too big to contain both camps and will likely split. Plan your career accordingly.

 

Yeah, yeah, go ahead and disagree.

Baechle
Advocate I

Carl, (@HTCPCP-TEA)

 

For C-suite positions you're looking at needing to speak the language of business.  Additionally, folks at this level come with professional education along with experience.

 

I recommend you further or begin your professional education career in either Accounting, Business Management, or Law.  Preferably you want to reach the graduate (Master's) level, but even a Bachelor's will start you on the right path.  An associate's degree is too light, unless you dual major, such as obtaining an Associate's in Accounting and a Bachelor's in Business Management.

 

CISO, CTO and CIO type positions require technical knowledge at the conceptual level.  Unless you are literally the only "technologist" employee, you will be mentoring your subordinates and setting policy and direction for your organization.  Once you have that down, circle back around for an IT-specialist qualification in management like the ISSMP or CISM.

 

Sincerely,

 

Eric B.

MiniMe
Newcomer I

@Beads would your opinion change about the CEH if the person is new to pen-testing? 

 

Going from CEH to OSCP seems like a better option than going directly to OSCP for someone who doesn't have pen-test experience, imho.

 

Just curious of your take on the subject with this additional info.

 

Thanks,

JohnZ

Beads
Advocate I

No. I have taken and passed the exam in two different releases over the years to satisfy an external requirement. Will say that both requirements were contractual in nature and the only reason to take the exam was to satisfy those government contractor requirements.

 

Today, you will not find any EC-Council on my current resume. Nor do I see the benefit outside of the US Government requirements. There are, however, exams that do earn respect: SANS GPEN and OSCP. Combined with experience and some ability to script some useful Java and/or Python, and you can go far.

 

(*Unclenching my jaw*)

 

Good luck with your studies!

MiniMe
Newcomer I

Thank you very much for the response...
HTCPCP-TEA
Contributor I

Thanks to all that have responded so far.

 

I appreciate the differing opinions, the responses that challenge thought are most interesting.

 

To clarify, Management is already within my background. I started early, military leadership came naturally, ranking higher than most could have dreamed of at that age.

 

I also spent 7 further years managing business prior to pivoting into InfoSec.

 

I would very much like to debunk the myth that a Master's or indeed any sort of Degree is "needed" to attain any position. It's a sad reality that such directives as "Applicants should have a bachelor's degree..." etc. even exist. Applications received with such honours should of course hold some extended value, but should never be a prerequisite that favours ignorance of a candidate that is suitably qualified through Experience, in my opinion.

 

Experience, Real-World education, with a smattering of certification to validate some of that experience, could be looked at in a more positive way. Some of the most effective Executive level staff, COOs, CTOs and indeed CEOs I've had the pleasure of working for or with, have only stepped into Universities to collect their honorary degrees or fellowships.

 

I'm all in favour of choosing your own route, and the fact that my initial post has prompted thought makes it worth writing. 

 

To be clear, I'm not disagreeing or prompting reaction from anyone who has taken the time to reply, I'm just keen to understand the inner workings of other minds.

 

Many thanks!

 

*If you truly want to do something, you will go and do it. Or, you will find a good enough excuse not to.*

Baechle
Advocate I

Carl,

 

It's apparent that you've had a spectacular career from your description. 

 


@HTCPCP-TEA wrote:

To clarify, Management is already within my background. I started early, military leadership came naturally, ranking higher than most could have dreamed of at that age.

 

I also spent 7 further years managing business prior to pivoting into InfoSec. 

 

As someone who has had a similar spectacular career, I can relate.  I attained my positions on account of the relationships with and graces of people who mentored me, took chances on me, and offered me those opportunities.  Degrees (when I eventually earned my first one in my 30s) assisted me in proffering my abilities when my experience did not directly translate to the position I was pursuing.

 

That being said, I recognize the difference between outstanding and conventional.  It appears though that you weren't looking for advice in a conventional career, because you already have the experience in senior level leadership that you would need so as not to have to rely on generic conventional advice in this forum.  As a result, the following comment you make is irresponsible:


@HTCPCP-TEA wrote:

 

I would very much like to debunk the myth that a Master's or indeed any sort of Degree is "needed" to attain any position. It's a sad reality that such directives as "Applicants should have a bachelor's degree..." etc. even exist. Applications received with such honours should of course hold some extended value, but should never be a prerequisite that favours ignorance of a candidate that is suitably qualified through Experience, in my opinion.

 

Experience, Real-World education, with a smattering of certification to validate some of that experience, could be looked at in a more positive way. Some of the most effective Executive level staff, COOs, CTOs and indeed CEOs I've had the pleasure of working for or with, have only stepped into Universities to collect their honorary degrees or fellowships.

Most people do not have career trajectories like ours, and it's irresponsible to provide mentorship and advice assuming as much.  If you're going to say something like this, then you should caveat it the same way we caveat things like careers in professional sports or Hollywood.  Not everyone gets a trophy just for showing up.  You either have to know someone who's going to give you a break, or you have to have cultivated and demonstrated the skills some way. Professional Education and degrees are a method to attain both when you have neither.

 

Exceptional opportunities are just that, exceptional.  It's one thing to say, "Hi, I'm Bill Gates, I'd like to come manage your company," and completely another to say, "Hi, I've been a generic IT guy for the last 10 years with no experience or education in business/finance decision making, I'd like to come manage your company."

HTCPCP-TEA
Contributor I

Hello Eric,

 

I would suggest the term "irresponsible" is a little subjective, perhaps? As my whole thesis is based around experience and opinion, it stands to reason that the content of my previous post be, at least partly, a tonic to those who may not have the option of attaining educational standards such as degrees.

 

I would actually advocate doing things in whatever way suits you personally, and of course professionally. If someone wants to earn a degree there is no issue, and this is why I say it should still hold some extended value. I simply wanted to rebuff the impression that one MUST have a formally recognised "higher education" to succeed, as this is simply not the case. I am NOT devaluing such qualifications, simply offering an alternative way of thinking.

 

In a world that is slowly seeing younger generations priced out of such an education, it is reasonable to look for alternative routes to get to a level above what one may be perceived as being held at, is it not? Would it not be irresponsible to allow such generations to believe they cannot get there because they don't hold a degree? I struggle to see why one would caveat such a thing, as it is likely to apply to more people than it might not. Again, this is just my opinion, and not in any way backed by statistics at this time.

 

Please don't take this as an attack on those who hold degrees or indeed yourself. I'm happy in the knowledge that at least such things can be discussed honestly here.

 

Regards